On Fri, 2025-10-24 at 16:33 -0700, Jakub Kicinski wrote:
On Fri, 24 Oct 2025 12:11:11 +1000 Wilfred Mallawa wrote:
In the previous record_size_limit approach for TLS 1.3, we need to account for the ContentType byte. Which complicates get/setsockopt() and tls_get_info(), where in setsockopt() for TLS 1.3 we need to subtract 1 to the user provided value and in getsockopt() we need add 1 to keep the symmetry between the two (similarly in tls_get_info()). The underlying assumption was that userspace passes up directly what the endpoint specified as the record_size_limit.
With this approach we don't need to worry about it and we can pass the responsibility to user-space as documented, which I think makes the kernel code simpler.
But we haven't managed to avoid that completely:
- if (value < TLS_MIN_RECORD_SIZE_LIM - (tls_13 ? 1 : 0) ||
I understand the motivation, the kernel code is indeed simpler.
Last night I read the RFC and then this patch, and it took me like 10min to get all of it straight in my head. Maybe I was tried but I feel like the user space developers will judge us harshly for the current uAPI.
I am open to reverting this to `record_size_limit` in that case. I think the only trade off is just a bit more complexity in the kernel side for the additional checks. Does that sound good to you Jakub/Sabrina?
Regards, Wilfred